Index: i386/i386/pmap.c
===================================================================
RCS file: /home/ncvs/src/sys/i386/i386/pmap.c,v
retrieving revision 1.250.2.6
retrieving revision 1.250.2.7
diff -u -r1.250.2.6 -r1.250.2.7
--- i386/i386/pmap.c	2000/09/30 02:49:32	1.250.2.6
+++ i386/i386/pmap.c	2000/11/07 18:32:15	1.250.2.7
@@ -2322,8 +2322,11 @@
 		return;
 	}
 
-	if (psize + pindex > object->size)
+	if (psize + pindex > object->size) {
+		if (object->size < pindex)
+			return;		  
 		psize = object->size - pindex;
+	}
 
 	mpte = NULL;
 	/*
Index: miscfs/procfs/procfs_ctl.c
===================================================================
RCS file: /home/ncvs/src/sys/miscfs/procfs/procfs_ctl.c,v
retrieving revision 1.17.2.1
retrieving revision 1.17.2.2
diff -u -r1.17.2.1 -r1.17.2.2
--- miscfs/procfs/procfs_ctl.c	1999/08/29 16:26:51	1.17.2.1
+++ miscfs/procfs/procfs_ctl.c	2000/12/18 20:56:05	1.17.2.2
@@ -111,6 +111,19 @@
 {
 	int error;
 
+	/* Authorization check: rely on normal debugging protection, except
+	 * allow processes to disecgage debugging on a process onto which
+	 * they have previously attached, but no longer have permission to
+	 * debug.
+	 */
+	if (op != PROCFS_CTL_DETACH) {
+		if (securelevel > 0 && p->p_pid == 1)
+			return (EPERM);
+
+                if (!CHECKIO(curp, p) || !procfs_kmemaccess(curp))
+                        return (EPERM);
+	}
+
 	/*
 	 * Attach - attaches the target process for debugging
 	 * by the calling process.
@@ -123,10 +136,6 @@
 		/* can't trace yourself! */
 		if (p->p_pid == curp->p_pid)
 			return (EINVAL);
-
-		/* can't trace init when securelevel > 0 */
-		if (securelevel > 0 && p->p_pid == 1)
-			return (EPERM);
 
 		/*
 		 * Go ahead and set the trace flag.
Index: miscfs/procfs/procfs_status.c
===================================================================
RCS file: /home/ncvs/src/sys/miscfs/procfs/procfs_status.c,v
retrieving revision 1.12.2.3
retrieving revision 1.12.2.4
diff -u -r1.12.2.3 -r1.12.2.4
--- miscfs/procfs/procfs_status.c	1999/12/27 16:05:11	1.12.2.3
+++ miscfs/procfs/procfs_status.c	2000/11/29 10:15:00	1.12.2.4
@@ -53,6 +53,7 @@
 #include <vm/vm_param.h>
 #include <sys/exec.h>
 
+#define DOCHECK() do { if (ps >= psbuf+sizeof(psbuf)) goto bailout; } while (0)
 int
 procfs_dostatus(curp, p, pfs, uio)
 	struct proc *curp;
@@ -83,63 +84,82 @@
 /* comm pid ppid pgid sid maj,min ctty,sldr start ut st wmsg 
                                 euid ruid rgid,egid,groups[1 .. NGROUPS]
 */
+	KASSERT(sizeof(psbuf) > MAXCOMLEN,
+			("Too short buffer for new MAXCOMLEN"));
+
 	ps = psbuf;
 	bcopy(p->p_comm, ps, MAXCOMLEN);
 	ps[MAXCOMLEN] = '\0';
 	ps += strlen(ps);
-	ps += sprintf(ps, " %d %d %d %d ", pid, ppid, pgid, sid);
+
+	DOCHECK();
+	ps += snprintf(ps, psbuf + sizeof(psbuf) - ps,
+	    " %d %d %d %d ", pid, ppid, pgid, sid);
+	DOCHECK();
 
 	if ((p->p_flag&P_CONTROLT) && (tp = sess->s_ttyp))
-		ps += sprintf(ps, "%d,%d ", major(tp->t_dev), minor(tp->t_dev));
+		ps += snprintf(ps, psbuf + sizeof(psbuf) - ps,
+		    "%d,%d ", major(tp->t_dev), minor(tp->t_dev));
 	else
-		ps += sprintf(ps, "%d,%d ", -1, -1);
+		ps += snprintf(ps, psbuf + sizeof(psbuf) - ps,
+		    "%d,%d ", -1, -1);
 
 	sep = "";
 	if (sess->s_ttyvp) {
-		ps += sprintf(ps, "%sctty", sep);
+		ps += snprintf(ps, psbuf + sizeof(psbuf) - ps, "%sctty", sep);
 		sep = ",";
+		DOCHECK();
 	}
 	if (SESS_LEADER(p)) {
-		ps += sprintf(ps, "%ssldr", sep);
+		ps += snprintf(ps, psbuf + sizeof(psbuf) - ps, "%ssldr", sep);
 		sep = ",";
+		DOCHECK();
+	}
+	if (*sep != ',') {
+		ps += snprintf(ps, psbuf + sizeof(psbuf) - ps, "noflags");
+		DOCHECK();
 	}
-	if (*sep != ',')
-		ps += sprintf(ps, "noflags");
 
 	if (p->p_flag & P_INMEM)
-		ps += sprintf(ps, " %ld,%ld",
+		ps += snprintf(ps, psbuf + sizeof(psbuf) - ps, " %ld,%ld",
 			p->p_stats->p_start.tv_sec,
 			p->p_stats->p_start.tv_usec);
 	else
-		ps += sprintf(ps, " -1,-1");
+		ps += snprintf(ps, psbuf + sizeof(psbuf) - ps, " -1,-1");
 
 	{
 		struct timeval ut, st;
 
 		calcru(p, &ut, &st, (void *) 0);
-		ps += sprintf(ps, " %ld,%ld %ld,%ld",
+		ps += snprintf(ps, psbuf + sizeof(psbuf) - ps, 
+		    " %ld,%ld %ld,%ld",
 			ut.tv_sec,
 			ut.tv_usec,
 			st.tv_sec,
 			st.tv_usec);
 	}
 
-	ps += sprintf(ps, " %s",
+	ps += snprintf(ps, psbuf + sizeof(psbuf) - ps, " %s",
 		(p->p_wchan && p->p_wmesg) ? p->p_wmesg : "nochan");
 
 	cr = p->p_ucred;
 
-	ps += sprintf(ps, " %lu %lu %lu", 
+	ps += snprintf(ps, psbuf + sizeof(psbuf) - ps, " %lu %lu %lu", 
 		(u_long)cr->cr_uid,
 		(u_long)p->p_cred->p_ruid,
 		(u_long)p->p_cred->p_rgid);
+	DOCHECK();
 
 	/* egid (p->p_cred->p_svgid) is equal to cr_ngroups[0] 
 	   see also getegid(2) in /sys/kern/kern_prot.c */
 
-	for (i = 0; i < cr->cr_ngroups; i++)
-		ps += sprintf(ps, ",%lu", (u_long)cr->cr_groups[i]);
-	ps += sprintf(ps, "\n");
+	for (i = 0; i < cr->cr_ngroups; i++) {
+		ps += snprintf(ps, psbuf + sizeof(psbuf) - ps,
+		     ",%lu", (u_long)cr->cr_groups[i]);
+		DOCHECK();
+	}
+	ps += snprintf(ps, psbuf + sizeof(psbuf) - ps, "\n");
+	DOCHECK();
 
 	xlen = ps - psbuf;
 	xlen -= uio->uio_offset;
@@ -151,6 +171,9 @@
 		error = uiomove(ps, xlen, uio);
 
 	return (error);
+
+bailout:
+	return (ENOMEM);
 }
 
 int
